Bugtraq mailing list archives
Re: Redir games with ARP and ICMP
From: flegel () MAIL BRAUNSCHWEIG NETSURF DE (Ulrich Flegel)
Date: Sat, 20 Sep 1997 11:41:44 +0100
A. Cox wrote: AC> You have a fundamental problem, and this is why neither IPv6 or bootp AC> are any more secure to these forms of attack. Unless you burn keys AC> into the roms or onto the disks of hosts by a non IP method you will AC> never be able to set up the first secure session to learn the others - AC> you have a problem akin to a PGP web of trust with nobody else to AC> trust. With IPv6 you can at least theoretically implement IP-ESP AC> (encryption headers) even on link layer "neighbour discovery" packets. You'll need those host-local keys in every case, yes. Otherwise you'd have to fear the man in the middle. AC> In IPv6 there is local IPv6 rather than ARP thus one day we can crypt AC> those too. Which is probably no good idea because the amount of data you crypt determines the weakness of the key in use. You'd better use the host-local key to establish some new SPI with your neighbour via some KMP. But the KMP access will trigger ICMPv6 neighbour discovery traffic. To cope with this problem you'd have to specify static SPI's between all of your machines (n*(n-1)), which doesn't scale well. It's all not THAT easy, is it? Read ya later,... Ulrich. PS: See http://www.ibr.cs.tu-bs.de/general/papers/sicherheit-flegel.ps.gz for further security implications of the IPv6 suite. It's my master thesis and it's written in german language, so probably it's not an option for all of you.
Current thread:
- Fake ps detection program (system V and /proc enabled machines), (continued)
- Fake ps detection program (system V and /proc enabled machines) Duncan Simpson (Sep 16)
- Java/JavaScript DoS Ian McKellar (Sep 16)
- Re: Fake ps detection program (system V and /proc enabled David Luyer (Sep 16)
- Re: CERT Advisory CA-97.23 - rdist Perry E. Metzger (Sep 16)
- Re: CERT Advisory CA-97.23 - rdist Alex (Sep 16)
- [IPD] Internet Probe Droid balif (Sep 16)
- Re: [IPD] Internet Probe Droid Keith A. Watson (Sep 18)
- Instresting practises of Oracle [Oracle Webserver] hurtta+zz () OZONE FMI FI (Sep 18)
- Redir games with ARP and ICMP Yuri Volobuev (Sep 19)
- Re: Redir games with ARP and ICMP Alan Cox (Sep 19)
- Re: Redir games with ARP and ICMP Ulrich Flegel (Sep 20)
- Blind Spoofing System Crasher (Sep 20)
- SunOS4.1.X sockopt panic HAKNER JEFF (Sep 20)
- Re: Redir games with ARP and ICMP John Goerzen (Sep 22)
- Fake ps detection program (system V and /proc enabled machines) Duncan Simpson (Sep 16)
- Re: CERT Advisory CA-97.23 - rdist Simon Karpen (Sep 16)
- Sun Security Bulletin #00154 Aleph One (Sep 17)